Security: How to install and configure Fail2ban

Underground Forum

  • #1

What is Fail2ban


Fail2ban protects a server from password brute-force attacks and SSH break-in attempts, and it can also protect certain areas of a server running Apache or NGINX. It does this by scanning log files for repeated failures from the same source address and temporarily banning that address with a firewall rule.

Installing Fail2ban on CentOS

# Get the EPEL repository:
sudo yum install epel-release

# Install fail2ban
sudo yum install fail2ban -y

# Enable fail2ban at boot and start it now
sudo systemctl enable fail2ban
sudo systemctl start fail2ban

# Check status
sudo systemctl status fail2ban


Fail2ban setup

The Fail2ban configuration files are located in /etc/fail2ban/.

The main configuration file is fail2ban.conf, but we will make all of our changes in the jail.local file, since fail2ban.conf may be overwritten by a package update.

At the beginning of the file, add the general rules:
[DEFAULT]
# Override /etc/fail2ban/jail.d/00-firewalld.conf:
banaction = iptables-multiport
# Ban after 3 failed attempts within 300 seconds (5 minutes):
maxretry = 3
findtime = 300
# Keep the ban in place for 10000 seconds (about 166 minutes):
bantime = 10000
If more than 3 unsuccessful attempts are made from one IP address within 5 minutes, that IP address is banned for 10000 seconds (166 minutes).

maxretry - number of failed attempts allowed before the address is banned
findtime - time window in seconds in which those attempts are counted
bantime - how long the address stays blocked, in seconds
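As an added illustration (not part of the original post and not Fail2ban's own code), the following Python script re-implements the maxretry/findtime/bantime decision over a few constructed sshd log lines, so you can see why one address is banned while another with the same number of failures spread over a longer period is not. The host name, IP addresses and timestamps are constructed; the year is assumed for parsing.

```python
import re
from datetime import datetime, timedelta

# Parameters taken from the [DEFAULT] section above
MAXRETRY = 3
FINDTIME = 300    # seconds
BANTIME = 10000   # seconds

# Constructed sample of /var/log/secure lines (syslog timestamp, no year)
LOG = """\
Mar 10 10:00:00 host sshd[1001]: Failed password for root from 203.0.113.5 port 51000 ssh2
Mar 10 10:00:10 host sshd[1002]: Failed password for root from 198.51.100.7 port 40000 ssh2
Mar 10 10:01:00 host sshd[1003]: Failed password for invalid user admin from 203.0.113.5 port 51001 ssh2
Mar 10 10:02:30 host sshd[1004]: Failed password for root from 203.0.113.5 port 51002 ssh2
Mar 10 10:09:00 host sshd[1005]: Failed password for root from 198.51.100.7 port 40001 ssh2
Mar 10 10:10:00 host sshd[1006]: Accepted password for alice from 192.0.2.9 port 2222 ssh2
Mar 10 10:12:00 host sshd[1007]: Failed password for root from 198.51.100.7 port 40002 ssh2
""".splitlines()

# Matches the OpenSSH failure message and captures the timestamp and source IP
FAIL_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                     r"Failed password for (?:invalid user )?\S+ from (\S+) port \d+")

def parse_failures(lines, year=2024):
    """Yield (timestamp, ip) for every line that is an sshd authentication failure."""
    for line in lines:
        m = FAIL_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2)

def evaluate(lines, maxretry=MAXRETRY, findtime=FINDTIME, bantime=BANTIME):
    """Return {ip: ban_expiry}: an IP is banned once it accumulates maxretry
    failures inside a sliding window of findtime seconds."""
    window = {}   # ip -> timestamps of recent failures still inside the window
    bans = {}     # ip -> datetime at which the ban expires
    for ts, ip in parse_failures(lines):
        if ip in bans and ts < bans[ip]:
            continue                      # already banned, nothing more to do
        hits = [t for t in window.get(ip, []) if ts - t <= timedelta(seconds=findtime)]
        hits.append(ts)
        window[ip] = hits
        if len(hits) >= maxretry:
            bans[ip] = ts + timedelta(seconds=bantime)
            window[ip] = []               # counter restarts after the ban expires
    return bans

if __name__ == "__main__":
    for ip, until in evaluate(LOG).items():
        print(f"ban {ip} until {until}")
```

With the page's values only 203.0.113.5 is banned (three failures in 150 seconds); 198.51.100.7 also fails three times, but its first failure has already left the 300-second window, which is exactly what findtime controls.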

SSH protection against password brute force

Add a new jail for [sshd] after [DEFAULT]:

[sshd]
enabled = true

Fail2ban + Apache

To secure a server running Apache, add this code to jail.local (the logpath below is the Debian/Ubuntu location; on CentOS the Apache error log is /var/log/httpd/error_log, so adjust it to match your system):
[apache]
enabled = true
port = http,https
filter = apache-auth
logpath = /var/log/apache2/error.log
maxretry = 3

[apache-multiport]
enabled = true
port = http,https
filter = apache-auth
logpath = /var/log/apache2/error.log
maxretry = 3

[apache-noscript]
enabled = true
port = http,https
filter = apache-noscript
logpath = /var/log/apache2/error.log
maxretry = 3

[apache-overflows]
enabled = true
port = http,https
filter = apache-overflows
logpath = /var/log/apache2/error.log
maxretry = 2


Fail2ban + NGINX

Add this to jail.local:
[nginx-http-auth]
enabled = true

Fail2ban + MySQL

Add this to jail.local:
[mysqld-auth]
enabled = true
filter = mysqld-auth
port = 3306

# After editing jail.local, restart fail2ban so the new jails are loaded:
sudo systemctl restart fail2ban
# Check the status of a specific jail, for example sshd:
sudo fail2ban-client status sshd

# You can list all rules (jails) using the command
sudo fail2ban-client status

In this example, protection is enabled for MySQL, NGINX and SSH.